From be80f612ee151cbfd26221158cf1c86677bd5082 Mon Sep 17 00:00:00 2001
From: Colin Percival
Date: Fri, 6 May 2005 02:51:10 +0000
Subject: If we are going to 1. Copy a NULL-terminated string into a fixed-length buffer, and 2. copyout that buffer to userland, we really ought to 0. Zero the entire buffer first.
Security: FreeBSD-SA-05:08.kmem
Approved by: re (kensmith)
---
 UPDATING | 3 +++
 sys/kern/subr_bus.c | 3 +++
 sys/kern/vfs_subr.c | 3 +++
 sys/net/if_mib.c | 1 +
 sys/netinet/ip_divert.c | 1 +
 sys/netinet/raw_ip.c | 1 +
 sys/netinet/udp_usrreq.c | 1 +
 7 files changed, 13 insertions(+)
diff --git a/UPDATING b/UPDATING
index ef309bef3aae..47bf051547f6 100644
--- a/UPDATING
+++ b/UPDATING
@@ -8,6 +8,9 @@
 Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. Important recent entries: 20040724 (default X changes).
+20050506: FreeBSD-SA-05:08.kmem
+ Correct several local kernel memory disclosure bugs.
+
 20050506: FreeBSD-SA-05:07.ldt
 Correctly validate inputs to the i386_get_ldt syscall.
diff --git a/sys/kern/subr_bus.c b/sys/kern/subr_bus.c
index d941c0ce7996..4e5298eb69ec 100644
--- a/sys/kern/subr_bus.c
+++ b/sys/kern/subr_bus.c
@@ -3741,6 +3741,7 @@ sysctl_devices(SYSCTL_HANDLER_ARGS)
 /*
 * Populate the return array.
 */
+ bzero(&udev, sizeof(udev));
 udev.dv_handle = (uintptr_t)dev;
 udev.dv_parent = (uintptr_t)dev->parent;
 if (dev->nameunit == NULL)
@@ -3812,6 +3813,7 @@ sysctl_rman(SYSCTL_HANDLER_ARGS)
 * resource manager.
 */
 if (res_idx == -1) {
+ bzero(&urm, sizeof(urm));
 urm.rm_handle = (uintptr_t)rm;
 strlcpy(urm.rm_descr, rm->rm_descr, RM_TEXTLEN);
 urm.rm_start = rm->rm_start;
@@ -3827,6 +3829,7 @@ sysctl_rman(SYSCTL_HANDLER_ARGS)
 */
 TAILQ_FOREACH(res, &rm->rm_list, r_link) {
 if (res_idx-- == 0) {
+ bzero(&ures, sizeof(ures));
 ures.r_handle = (uintptr_t)res;
 ures.r_parent = (uintptr_t)res->r_rm;
 ures.r_device = (uintptr_t)res->r_dev;
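Review bot: The new `bzero(&udev, sizeof(udev));` in sysctl_devices, and the matching `bzero(&urm, ...)` and `bzero(&ures, ...)` in the two sysctl_rman hunks, carry no comment saying why a struct whose visible fields are all assigned right below still has to be zeroed, so a later cleanup could read them as redundant and drop them. Suggest a one-line comment above each, e.g. `/* Zero padding and the unused tail of fixed-length string fields: the whole struct is copied out to userland. */`. Zeroing ures inside the TAILQ_FOREACH loop is the right placement, since the same ures is presumably reused on every iteration and a shorter string on a later pass would otherwise leave bytes from the previous one in the copied-out tail. The enclosing functions start and end outside these hunks, so whether udev, urm or ures reach a SYSCTL_OUT on some path that bypasses these fills cannot be checked here.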
diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c
index 9f81999335da..3c3d95f44529 100644
--- a/sys/kern/vfs_subr.c
+++ b/sys/kern/vfs_subr.c
@@ -2895,6 +2895,7 @@ sysctl_vfs_conflist(SYSCTL_HANDLER_ARGS)
 error = 0;
 TAILQ_FOREACH(vfsp, &vfsconf, vfc_list) {
+ bzero(&xvfsp, sizeof(xvfsp));
 vfsconf2x(vfsp, &xvfsp);
 error = SYSCTL_OUT(req, &xvfsp, sizeof xvfsp);
 if (error)
@@ -2939,6 +2940,7 @@ vfs_sysctl(SYSCTL_HANDLER_ARGS)
 break;
 if (vfsp == NULL)
 return (EOPNOTSUPP);
+ bzero(&xvfsp, sizeof(xvfsp));
 vfsconf2x(vfsp, &xvfsp);
 return (SYSCTL_OUT(req, &xvfsp, sizeof(xvfsp)));
 }
@@ -2958,6 +2960,7 @@ sysctl_ovfs_conf(SYSCTL_HANDLER_ARGS)
 struct ovfsconf ovfs;
 TAILQ_FOREACH(vfsp, &vfsconf, vfc_list) {
+ bzero(&ovfs, sizeof(ovfs));
 ovfs.vfc_vfsops = vfsp->vfc_vfsops; /* XXX used as flag */
 strcpy(ovfs.vfc_name, vfsp->vfc_name);
 ovfs.vfc_index = vfsp->vfc_typenum;
diff --git a/sys/net/if_mib.c b/sys/net/if_mib.c
index 4f6631b8caab..0c11454ce69b 100644
--- a/sys/net/if_mib.c
+++ b/sys/net/if_mib.c
@@ -90,6 +90,7 @@ sysctl_ifdata(SYSCTL_HANDLER_ARGS) /* XXX bad syntax! */
 return ENOENT;
 case IFDATA_GENERAL:
+ bzero(&ifmd, sizeof(ifmd));
 strlcpy(ifmd.ifmd_name, ifp->if_xname, sizeof(ifmd.ifmd_name));
 #define COPY(fld) ifmd.ifmd_##fld = ifp->if_##fld
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c
index 4a730f1d7b2d..563e819a2995 100644
--- a/sys/netinet/ip_divert.c
+++ b/sys/netinet/ip_divert.c
@@ -567,6 +567,7 @@ div_pcblist(SYSCTL_HANDLER_ARGS)
 inp = inp_list[i];
 if (inp->inp_gencnt <= gencnt) {
 struct xinpcb xi;
+ bzero(&xi, sizeof(xi));
 xi.xi_len = sizeof xi;
 /* XXX should avoid extra copy */
 bcopy(inp, &xi.xi_inp, sizeof *inp);
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 116dfecde44e..0fe7f3c94559 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
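Review bot: In sysctl_vfs_conflist the `bzero(&xvfsp, sizeof(xvfsp));` sits at the call site of vfsconf2x(), and vfs_sysctl repeats the same bzero/vfsconf2x pair one hunk later, so every present and future caller of vfsconf2x() has to remember the zeroing on its own for the export to stay clean. Since vfsconf2x() is the routine that builds the exported struct (its body is not in this diff), putting the zeroing on its first line would cover all callers at once and let these two call-site lines go; if the call-site form is kept, a comment such as `/* xvfsp is copied out whole; clear padding and string tails first. */` would stop the call from being removed as redundant. Both enclosing functions extend outside their hunks.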
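Review bot: The context line `strcpy(ovfs.vfc_name, vfsp->vfc_name);` in sysctl_ovfs_conf is an unbounded copy into a fixed-length field that is then copied out; the new bzero clears the bytes the copy leaves untouched but does nothing if the two vfc_name arrays ever differ in size. A bounded copy in the form the if_mib.c and subr_bus.c hunks already use, `strlcpy(ovfs.vfc_name, vfsp->vfc_name, sizeof(ovfs.vfc_name));`, removes that dependence on the two structs agreeing. Both field sizes are declared outside this diff, so whether they currently match cannot be confirmed here; the function continues past the hunk.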
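Review bot: In div_pcblist the new `bzero(&xi, sizeof(xi));` only clears the parts of xi that the function sets itself; the `bcopy(inp, &xi.xi_inp, sizeof *inp);` three lines later then overwrites xi_inp with a byte copy of the live kernel inpcb, so any padding inside that object (the existing "XXX should avoid extra copy" comment already flags the raw copy) is exported exactly as it lies in kernel memory. Whether the inpcb allocation is itself zero-filled is not visible in this diff, so this may be a non-issue in practice, but it is worth confirming at the allocation site rather than assuming the call-site bzero covers it. The identical four-line sequence appears in rip_pcblist (raw_ip.c) and udp_pcblist (udp_usrreq.c); a shared helper that zeroes and fills a struct xinpcb from an inpcb would keep the three in step and make the zeroing impossible to omit in a fourth copy. The loop and function in each case extend outside the hunk.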
@@ -847,6 +847,7 @@ rip_pcblist(SYSCTL_HANDLER_ARGS)
 inp = inp_list[i];
 if (inp->inp_gencnt <= gencnt) {
 struct xinpcb xi;
+ bzero(&xi, sizeof(xi));
 xi.xi_len = sizeof xi;
 /* XXX should avoid extra copy */
 bcopy(inp, &xi.xi_inp, sizeof *inp);
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 84108a225913..a96db3933e7d 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -611,6 +611,7 @@ udp_pcblist(SYSCTL_HANDLER_ARGS)
 inp = inp_list[i];
 if (inp->inp_gencnt <= gencnt) {
 struct xinpcb xi;
+ bzero(&xi, sizeof(xi));
 xi.xi_len = sizeof xi;
 /* XXX should avoid extra copy */
 bcopy(inp, &xi.xi_inp, sizeof *inp);
--
cgit v1.2.3